[Bro] Question about capture loss script vs. broctl netstats

Derek Banks itsecderek at gmail.com
Tue Jun 25 11:07:05 PDT 2013


I apologize if this has been answered already - I was searching through the
list archives and didn't seem to find the answer.

I have configured a RHEL 6 server with the latest Bro from the repository
and pf_ring 5.2.2.

It seems pf_ring works - I run pfcount on my capture interface and it sees
traffic and reports no packet loss.

I have Bro configured per the post at
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and
everything starts fine and Bro is up and running.

I run netstats in the Broctl shell and get:

worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

But in the notice.log file I see:
1372179930.880560    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated loss rate above 38.520%    -    -    -    -    -    worker-0-3    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.908354    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated loss rate above 37.415%    -    -    -    -    -    worker-0-4    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.923939    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated loss rate above 40.462%    -    -    -    -    -    worker-0-1    Notice::ACTION_LOG    3600.000000    F    -    -    -    --
1372179930.923939    -    -    -    -    -    -    CaptureLoss::Too_Much_Loss    The capture loss script detected an estimated loss rate above 42.910%    -    -    -    -    -    worker-0-2    Notice::ACTION_LOG    3600.000000    F    -    -    -    --

So my question is, am I dropping packets or am I good to go?

Best Regards,
Derek Banks
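An added example (not code from the post or from Bro itself) that parses the two outputs shown above and flags, per worker, exactly the situation described: a CaptureLoss estimate far above threshold while the capture layer reports dropped=0. The sample records are rebuilt from the values in the post, and the notice.log column order is assumed to be the default Notice::Info layout.

```python
import re

# Sample input constructed from the values quoted in the post above
# (two of the four workers are enough to show the comparison).
NETSTATS = """\
worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
"""

# notice.log records are tab-separated; the mail client wrapped them, so they
# are rebuilt here one per line using the default column order (assumed):
# ts uid orig_h orig_p resp_h resp_p proto note msg sub src dst p n peer_descr ...
def _notice(ts, pct, peer):
    msg = "The capture loss script detected an estimated loss rate above %s%%" % pct
    return "\t".join([ts] + ["-"] * 6 + ["CaptureLoss::Too_Much_Loss", msg]
                     + ["-"] * 5 + [peer, "Notice::ACTION_LOG", "3600.000000", "F"])

NOTICE_LOG = "\n".join([_notice("1372179930.880560", "38.520", "worker-0-3"),
                        _notice("1372179930.923939", "40.462", "worker-0-1")])

NETSTAT_RE = re.compile(r"^(\S+):\s+\S+\s+recvd=(\d+)\s+dropped=(\d+)\s+link=(\d+)")
PCT_RE = re.compile(r"loss rate above ([\d.]+)%")

def parse_netstats(text):
    """Per-worker drop ratio as reported by the capture layer (dropped/link)."""
    out = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            dropped, link = int(m.group(3)), int(m.group(4))
            out[m.group(1)] = dropped / link if link else 0.0
    return out

def parse_capture_loss(text):
    """Per-worker loss estimate (fraction) from CaptureLoss::Too_Much_Loss notices."""
    out = {}
    for line in text.splitlines():
        f = line.split("\t")
        if "CaptureLoss::Too_Much_Loss" in f:
            i = f.index("CaptureLoss::Too_Much_Loss")
            m = PCT_RE.search(f[i + 1])            # msg is the field after note
            if m:
                out[f[i + 7]] = float(m.group(1)) / 100.0   # f[i+7] is peer_descr
    return out

def compare(netstats, estimates, threshold=0.05):
    """Rows of (worker, nic_drop_ratio, script_estimate, verdict).
    CaptureLoss infers loss from TCP gaps (data the peer ACKed but Bro never saw),
    so it fires just as well when packets never reach the worker at all; a high
    estimate next to dropped=0 points at the feed (span/mirror, flow hashing
    splitting a connection's two directions), not at the capture buffer."""
    rows = []
    for w in sorted(set(netstats) | set(estimates)):
        nic, est = netstats.get(w, 0.0), estimates.get(w, 0.0)
        verdict = ("ok" if est < threshold else
                   "capture drops" if nic > 0 else "gaps without drops: check feed/flow hashing")
        rows.append((w, nic, est, verdict))
    return rows
```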